
Nim Security

Security practices for Nim including memory safety, input validation, and safe FFI usage

Details

Language / Topic
Nim
Category
Security

Rules

balanced
- Enable `--checks:on` in all builds except the most performance-critical paths — this enables bounds, overflow, and nil dereference checks at runtime.
- Never use `cast[T](x)` on untrusted input — it bypasses the type system entirely; use `safeCast` from the `typetraits` module or validate before casting.
- Validate all external input lengths before passing to fixed-size buffers — use `string` and `seq` (which bounds-check) instead of raw `cstring` for user-controlled data.
- When wrapping C libraries with `{.importc.}` and `{.header.}`, always document the ownership semantics — use `{.destructor.}` hooks to prevent resource leaks across the FFI boundary.
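
The "validate before casting" and "validate lengths before fixed-size buffers" rules above, shown as an added example that is not part of the original rule set. The wire layout, type names and proc names are hypothetical and constructed for illustration. The explicit checks raise a catchable `ValueError` and remain in place even in builds where runtime checks are turned off.

```nim
type
  MsgKind = enum
    mkPing, mkData, mkClose        # valid wire values 0..2

  Record = object
    kind: MsgKind
    name: array[16, char]          # fixed-size field, as in a C struct
    nameLen: int

proc toMsgKind(b: byte): MsgKind =
  ## Range-check the raw byte first; cast[MsgKind](b) would accept any value.
  if int(b) > ord(high(MsgKind)):
    raise newException(ValueError, "unknown message kind: " & $b)
  MsgKind(int(b))

proc parseRecord(input: openArray[byte]): Record =
  ## Constructed wire layout: kind (1 byte) | nameLen (1 byte) | name bytes
  if input.len < 2:
    raise newException(ValueError, "truncated header")
  result.kind = toMsgKind(input[0])
  let n = int(input[1])
  if n > result.name.len:
    raise newException(ValueError, "name does not fit the fixed buffer")
  if n > input.len - 2:
    raise newException(ValueError, "declared length exceeds received data")
  for i in 0 ..< n:
    result.name[i] = char(input[2 + i])
  result.nameLen = n

when isMainModule:
  # Constructed sample inputs.
  let ok = parseRecord(@[1'u8, 3, 0x61, 0x62, 0x63])
  doAssert ok.kind == mkData and ok.nameLen == 3 and ok.name[0] == 'a'
  doAssertRaises(ValueError):      # kind byte outside the enum
    discard parseRecord(@[9'u8, 0])
  doAssertRaises(ValueError):      # length larger than the 16-byte buffer
    discard parseRecord(@[1'u8, 200, 0x61])
  doAssertRaises(ValueError):      # length larger than the data received
    discard parseRecord(@[1'u8, 4, 0x61])
```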